Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 141s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11/03/2025, 14:36
Static task: static1
Behavioral task: behavioral1
- Sample: RFQ.exe
- Resource: win7-20240903-en
General
- Target: RFQ.exe
- Size: 881KB
- MD5: 768bed9843a8a7c96699b27fc40b8819
- SHA1: 4ae495c3540252bef39276bf6e9fc84435f7b7bb
- SHA256: aa653ad0d107b2d7ab98d4ede0eef147b73fbd7eb2f522f0bf608f833daebe34
- SHA512: e23d433ac20532c512d2f2db1badbf4a2e43d2c28ff73553e2de79d82a012dbe1afe81d59bc830f4606ff3b54b08cbbcbd2b6448cdb12a3246ffb4607ac93539
- SSDEEP: 12288:TfNeE6xIVKGJA1R1MbXgf+GH4oGSlhA8b06JJe4Ii3QOeGiTJyxwC1ht2ddT+:wE6xcA1LMbDqXm8b0iJ7r6cxvE
Malware Config
Extracted: darkcloud
- C2 / exfiltration URL (Telegram Bot API sendMessage endpoint; the bot token and destination chat_id are embedded in the URL): https://api.telegram.org/bot7725030292:AAFHYtQUWDdOhIko2DIqyexjh4XvUaOA1Fs/sendMessage?chat_id=6732456666
Signatures
- Darkcloud family
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. Both instances here use Add-MpPreference -ExclusionPath: PID 2820 excludes the running dropper (...\AppData\Local\Temp\RFQ.exe) and PID 2660 excludes the copy it keeps at ...\AppData\Roaming\wOPQRmK.exe.
  pid / Process: 2820 powershell.exe; 2660 powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2392 (RFQ.exe) set thread context of PID 2000 (procid_target 36), a second instance of RFQ.exe. Together with the nine WriteProcessMemory calls from 2392 into 2000 listed below, this is the process-hollowing (RunPE) sequence: the dropper starts a copy of itself, overwrites that copy's memory and points its thread at the injected code, so the payload runs as PID 2000.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
  ioc / Process:
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RFQ.exe (x2)
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe (x2)
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here it registers the task "Updates\wOPQRmK" from an XML template written to Temp, so the task's action never appears on a command line.
  pid / Process: 2796 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / Process: 2820 powershell.exe; 2660 powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / Process: 2000 RFQ.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  2820 powershell.exe
  Token: SeDebugPrivilege  2660 powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid / Process: 2000 RFQ.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  All writes are by PID 2392 (RFQ.exe) into its own children:
    wrote to memory of 2820 (powershell.exe, procid_target 30)  x4
    wrote to memory of 2660 (powershell.exe, procid_target 32)  x4
    wrote to memory of 2796 (schtasks.exe, procid_target 34)  x4
    wrote to memory of 2000 (RFQ.exe, procid_target 36)  x9
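The PowerShell signature above records two Add-MpPreference -ExclusionPath calls (PIDs 2820 and 2660), one for the dropper itself and one for its future copy under AppData\Roaming. The script below is an added example, not part of the Triage report or of the DarkCloud sample: it audits an endpoint for exactly that kind of exclusion and for the Defender event that records it. The list of suspicious roots, the default time window and the treatment of single-.exe exclusions as suspicious are assumptions chosen for illustration. Two caveats: the Defender PowerShell module does not exist on the Windows 7 image the sandbox used, so the sample's commands fail there and the detection comes from the command line alone; and on a current Windows host Add-/Remove-MpPreference require administrative rights, which the sandbox's Admin account had.

```powershell
# Added example, not part of the Triage report or the DarkCloud sample.
# Audits Microsoft Defender exclusions after seeing
# "Add-MpPreference -ExclusionPath <dropper>" in a process tree.
# Assumptions: the root list below and the default day window are illustrative.

# Exclusions pointing into user-writable staging directories are almost never legitimate.
$SuspiciousRoots = @(
    '\AppData\Local\Temp\',
    '\AppData\Roaming\',
    '\Users\Public\',
    '\Windows\Temp\'
)

function Get-SuspiciousDefenderExclusion {
    [CmdletBinding()]
    param()

    $pref = Get-MpPreference
    # Defender keeps three separate exclusion lists; a loader may use any of them.
    $entries = @()
    foreach ($p in @($pref.ExclusionPath))      { if ($p) { $entries += [pscustomobject]@{ Kind = 'Path';      Value = $p } } }
    foreach ($p in @($pref.ExclusionExtension)) { if ($p) { $entries += [pscustomobject]@{ Kind = 'Extension'; Value = $p } } }
    foreach ($p in @($pref.ExclusionProcess))   { if ($p) { $entries += [pscustomobject]@{ Kind = 'Process';   Value = $p } } }

    foreach ($e in $entries) {
        $roots = @($SuspiciousRoots | Where-Object { $e.Value -like "*$_*" })
        # A path exclusion naming one .exe (rather than a product folder) is the
        # self-whitelisting pattern in this report, wherever the file lives.
        $singleExe = ($e.Kind -eq 'Path' -and $e.Value -match '\.exe$')
        if ($roots.Count -gt 0 -or $singleExe) {
            [pscustomobject]@{
                Kind   = $e.Kind
                Value  = $e.Value
                Reason = $(if ($roots.Count -gt 0) { "under $($roots -join ', ')" } else { 'single executable excluded' })
            }
        }
    }
}

function Get-DefenderExclusionChange {
    [CmdletBinding()]
    param([int]$Days = 7)

    # Event 5007 ("The antimalware platform configuration changed") is written for every
    # Add-/Remove-MpPreference; exclusion changes name the Exclusions\Paths, \Extensions
    # or \Processes registry key in the message together with the old and new value.
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\(Paths|Extensions|Processes)' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Message = ($_.Message -replace '\s+', ' ')
            }
        }
}

function Remove-SuspiciousDefenderExclusion {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    foreach ($x in Get-SuspiciousDefenderExclusion) {
        if ($PSCmdlet.ShouldProcess($x.Value, "Remove Defender $($x.Kind) exclusion")) {
            switch ($x.Kind) {
                'Path'      { Remove-MpPreference -ExclusionPath      $x.Value }
                'Extension' { Remove-MpPreference -ExclusionExtension $x.Value }
                'Process'   { Remove-MpPreference -ExclusionProcess   $x.Value }
            }
        }
    }
}

# Usage (elevated PowerShell on Windows 8.1/10/11; the Defender module is absent on Windows 7):
Get-SuspiciousDefenderExclusion | Format-Table -AutoSize
Get-DefenderExclusionChange -Days 30 | Format-Table -AutoSize -Wrap
Remove-SuspiciousDefenderExclusion -WhatIf    # preview first; drop -WhatIf to clean up
```

The event query is the more durable of the two checks: an attacker who later removes the exclusion leaves no trace in Get-MpPreference, but the 5007 events for both the add and the remove stay in the Operational log until it rolls over.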
Processes
The command lines name C:\Windows\System32\..., but the images that actually ran are under C:\Windows\SysWOW64\: the dropper is a 32-bit process, so the WOW64 file-system redirector maps System32 to SysWOW64 for everything it spawns.

- C:\Users\Admin\AppData\Local\Temp\RFQ.exe  (PID 2392)
  command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
  Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2820)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
    Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2660)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wOPQRmK.exe"
    Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe  (PID 2796)
    command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wOPQRmK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp90F9.tmp"
    System Location Discovery: System Language Discovery; Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\RFQ.exe  (PID 2000; the SetThreadContext/WriteProcessMemory target of PID 2392)
    command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
    System Location Discovery: System Language Discovery; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of SetWindowsHookEx
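The schtasks.exe child above registers "Updates\wOPQRmK" with /XML from a throwaway tmp90F9.tmp, so the task's program path and trigger never show up on a command line; only the task folder name does. The script below is an added example, not part of the Triage report or of the sample: it enumerates registered tasks, flags those that execute from user-writable locations or sit in a watched folder, exports their XML for comparison, and pulls Security event 4698 where task-creation auditing is on. The path regex, the "\Updates\" watch folder and the export directory are assumptions for illustration. The ScheduledTasks module (Get-ScheduledTask, Export-ScheduledTask) exists on Windows 8/Server 2012 and later; on the Windows 7 image the sandbox used, schtasks /Query /XML is the equivalent.

```powershell
# Added example, not part of the Triage report or the DarkCloud sample.
# Hunts scheduled tasks that run from user-writable locations or live in the
# "\Updates\" folder: the persistence shape of the schtasks /XML call above.
# Assumptions: the path pattern, watched folder and output directory are illustrative.

# Program paths a legitimate task should not execute from.
$UserWritablePattern = '(?i)(\\AppData\\|\\Users\\Public\\|\\Windows\\Temp\\|%APPDATA%|%LOCALAPPDATA%|%TEMP%|%TMP%)'

function Get-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        # Task folders to flag unconditionally; "\Updates\" is what this sample used.
        [string[]]$WatchFolder = @('\Updates\')
    )

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a program path; COM-handler actions are skipped here.
            if (-not $action.Execute) { continue }
            $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
            $reasons = @()
            if ($cmd -match $UserWritablePattern)            { $reasons += 'runs from user-writable location' }
            if ($WatchFolder -contains $task.TaskPath)        { $reasons += "in watched folder $($task.TaskPath)" }
            if ("$($task.Principal.RunLevel)" -eq 'Highest')  { $reasons += 'requests highest privileges' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Author   = $task.Author
                    Command  = $cmd
                    Reason   = ($reasons -join '; ')
                }
            }
        }
    }
}

function Export-SuspiciousTaskXml {
    [CmdletBinding()]
    param([string]$OutDir = (Join-Path $env:TEMP 'task-triage'))   # assumption: output location

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    Get-SuspiciousScheduledTask | ForEach-Object {
        $file = Join-Path $OutDir ((($_.TaskPath + $_.TaskName) -replace '[\\/:*?"<>|]', '_') + '.xml')
        # Export-ScheduledTask emits the same XML schema that schtasks /XML consumes, so the
        # output can be compared with the dropper's tmp*.tmp template if that was recovered.
        Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath |
            Set-Content -Path $file -Encoding Unicode
        $_ | Add-Member -NotePropertyName ExportedTo -NotePropertyValue $file -PassThru
    }
}

function Get-TaskCreationEvent {
    [CmdletBinding()]
    param([int]$Days = 7)

    # Security event 4698 ("A scheduled task was created") carries the creating account and
    # the full task XML, but only when 'Audit Other Object Access Events' is enabled.
    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            TaskName = ($data | Where-Object Name -eq 'TaskName').'#text'
            Content  = ($data | Where-Object Name -eq 'TaskContent').'#text'
        }
    }
}

# Usage (elevated, so tasks registered by other accounts are visible):
Get-SuspiciousScheduledTask | Format-Table TaskPath, TaskName, Command, Reason -AutoSize -Wrap
Export-SuspiciousTaskXml | Select-Object TaskName, ExportedTo
Get-TaskCreationEvent -Days 30 | Where-Object TaskName -like '\Updates\*'
```

Checking the exported XML matters more than the task name: a task called "Updates\..." is a weak indicator on its own, but an action whose Command points into AppData\Roaming, as the excluded wOPQRmK.exe path in this report does, is what ties the persistence back to the Defender exclusion.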
Network
MITRE ATT&CK Enterprise v15
Downloads
- (file path not shown in the report)
  Filesize: 1KB
  MD5: 43ad240df69e8512d2ae3b16362c31de
  SHA1: 65b7834313b48e40e2792bff9a9de0a50484d5d4
  SHA256: 0705752aef87c370e3fb91cabb12ce8dd04d98cbdf52b4cf3a15c2f40d5b68b6
  SHA512: 30b46fcaab2284489a2baaf51a8207843241cf21bb00e6f4de086d82476cedb41b928cbde350be1a3640fa5ab9704455f38958efb55466cc0d968236bb5cc8cf
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0ZYVTHLAT18Q2OG5UQQO.temp
  A Windows shell Jump List (CustomDestinations) file, a side effect of the session rather than a dropped payload.
  Filesize: 7KB
  MD5: ed85a864fd9e00506b464a57a50ebd4d
  SHA1: 5e888e85e2abe9641a04cef2b540b0c0a9ed3be3
  SHA256: c790f61bfffd6c70f5de66cd7a3b26134b01695e0dd550945f6c87fec8d9c028
  SHA512: de426776683f9e8638df8283f986b8e8b1f2018b2c3a35d3250f072d449cb30059453053d32ed22d845c6ca0d6448cf6ec93218a8f767f0303f8bd05c16d4d09